Observations on articles I read to keep current about technology. My interests are: Privacy, security, business, the computer industry, and geeky stuff that catches my eye.

I don't think I have an agenda beyond my own amusement.

Note that I lump all my comments into a single post. This is not a typical blog technique; it's just an indication that I'm lazy.

Saturday, November 16, 2013

When I say, repeatedly,
that Intelligence services target everything, did you think I was
talking only about the NSA? Perhaps if I say, “Everyone wants to
know Everything about Everyone,” you'll get the picture. (This is
not only logical, it should be obvious.)

The Department of
Energy hack noted
previously on this blog may be part of a larger and longer
campaign against government agencies by members of Anonymous who
exploited an Adobe vulnerability. At least that’s what an FBI memo
seen by Reuters seems to suggest:

The
hackers exploited a flaw in Adobe Systems Inc’s software to launch
a rash of electronic break-ins that began last December, then left
“back doors” to return to many of the machines as recently as
last month, the Federal Bureau of Investigation said in a memo seen
by Reuters.

The
memo, distributed on Thursday, described the attacks as “a
widespread problem that should be addressed.” It said the breach
affected the U.S. Army, Department of Energy, Department of Health
and Human Services, and perhaps many more agencies.

Google,
Microsoft, Apple, and Facebook all have their own tracking
systems that may signal impending
doom for the traditional cookie. First-party tracking
can provide advertisers with much more accurate results than
cookies, due to the access these companies have to user data.

Online
radio service Pandora recently adopted its own cookie replacement,
and it has been pitching its data to ad exchanges for the past few
weeks, according to AdAge.

When
a user registers for a Pandora account, the (sic) provides his or her
age, gender, and zip code. The Internet radio company plans to go
through its data and develop demographics it believes advertisers
will find more attractive than the imperfect browsing habits
collected by cookies.

Taking photos (or
recording video) in public is not the issue. Posting those photos on
a website is not an issue. Suggesting that something bad (like Tony
Soprano will pay you a visit) will happen to you if your photo is on
that website IS an issue.

From the highlights of
a GAO report issued in September and just posted today on GAO’s
site:

No
overarching federal privacy law governs the collection and sale of
personal information among private-sector companies, including
information resellers. Instead, a variety of laws tailored to
specific purposes, situations, or entities governs the use, sharing,
and protection of personal information. For example, the Fair Credit
Reporting Act limits the use and distribution of personal information
collected or used to help determine eligibility for such things as
credit or employment, but does not apply to information used for
marketing. Other laws apply specifically to health care providers,
financial institutions, videotape service providers, or to the online
collection of information about children.

The
current statutory framework for consumer privacy does not fully
address new technologies–such as the tracking of online
behavior or mobile devices–and the vastly increased marketplace for
personal information, including the proliferation of information
sharing among third parties. With regard to data used for marketing,
no federal statute provides consumers the right to learn what
information is held about them and who holds it. In many
circumstances, consumers also do not have the legal right to control
the collection or sharing with third parties of sensitive personal
information (such as their shopping habits and health interests) for
marketing purposes. As a result, although some industry participants
have stated that current privacy laws are adequate–particularly in
light of self-regulatory measures under way–GAO found that gaps
exist in the current statutory framework for privacy and that the
framework does not fully reflect the Fair Information Practice
Principles, widely accepted principles for protecting the privacy and
security of personal information that have served as a basis for many
of the privacy recommendations federal agencies have made.

Views
differ on the approach that any new privacy legislation or regulation
should take. Some privacy advocates generally have argued that a
comprehensive overarching privacy law would provide greater
consistency and address gaps in law left by the current
sector-specific approach. Other stakeholders have stated that a
comprehensive, one-size-fits-all approach to privacy would be
burdensome and inflexible. In addition, some privacy advocates
have cited the need for legislation that would provide consumers with
greater ability to access, control the use of, and correct
information about them, particularly with respect to data used for
purposes other than those for which they originally were provided.
At the same time, industry representatives have asserted that
restrictions on the collection and use of personal data would impose
compliance costs, inhibit innovation and efficiency, and reduce
consumer benefits, such as more relevant advertising and beneficial
products and services. Nonetheless, the rapid increase in the amount
and type of personal information that is collected and resold
warrants reconsideration of how well the current privacy framework
protects personal information. The challenge will be providing
appropriate privacy protections without unduly inhibiting the
benefits to consumers, commerce, and innovation that data sharing can
accord. [Or perhaps informing consumers and allowing them to
select a level of privacy they are comfortable with? Bob]

Absurd:
The Very Basic Thing It's Still Illegal to Do With Your Mobile Phone

Do you own a smartphone? Do you know how easy it is to break the law using
only that smartphone?

It’s this easy: After
your current contract with your wireless provider (perhaps Verizon)
expires, change the software on your phone such that you can use it
to make calls with a different provider (say, T-Mobile). There, you
just broke the law.

– If you’ve ever
found yourself wanting to try a product online which required a credit
card, even when you just wanted to take a look, then you will know why
this site is invaluable. It generates random lists of “valid”
credit card numbers, but since there is no other corresponding
information, they are useless for fraud purposes.
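What “valid” means here is worth spelling out, because it is the reason such numbers get past an order form yet are useless to a thief: a payment-card number ends in a Luhn check digit, and the Luhn test is the only validation a form can run without contacting the card's issuer. A generated number that passes it still has no account, expiry date or CVV behind it, so any authorization attempt is declined. The following is an added example, not the generator site's own code, that validates and generates Luhn-consistent test numbers; the prefixes and lengths it uses are illustrative and make no claim about any issuer's ranges.

```python
import random


def luhn_check_digit(body: str) -> int:
    """Return the check digit that makes body + digit pass the Luhn test.

    Working from the right end of the body, the digit that will sit
    immediately left of the check digit and every second digit after it
    is doubled (9 subtracted when the result exceeds 9); the check digit
    is whatever brings the total to a multiple of 10.
    """
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def luhn_valid(number: str) -> bool:
    """True when the number (spaces and dashes allowed) passes the Luhn test."""
    digits = number.replace(" ", "").replace("-", "")
    if not digits.isdigit() or len(digits) < 2:
        return False
    return luhn_check_digit(digits[:-1]) == int(digits[-1])


def make_test_number(prefix: str, length: int, seed=None) -> str:
    """Build a Luhn-valid number of the given length starting with prefix.

    Prefix and length are caller-supplied; nothing here knows or claims
    which issuer, if any, owns the resulting number. A seed makes the
    output reproducible.
    """
    if not prefix.isdigit() or len(prefix) >= length:
        raise ValueError("prefix must be digits and shorter than length")
    rng = random.Random(seed)
    body = prefix + "".join(str(rng.randrange(10)) for _ in range(length - len(prefix) - 1))
    return body + str(luhn_check_digit(body))


if __name__ == "__main__":
    # Illustrative prefixes and lengths only; the seed fixes the output.
    for prefix, length in (("4", 16), ("51", 16), ("34", 15)):
        n = make_test_number(prefix, length, seed=2013)
        print(n, luhn_valid(n))
```

The practical caveat for anyone building a form: a Luhn pass tells you the customer did not mistype, nothing more; the only check that a number belongs to a live account is the issuer's answer to an authorization request.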

– is a course catalog
for online learning. The site helps you find courses for subjects
you want to learn and enables you to compare those choices easily and
pick the best one for you. They find college courses from all the
providers out there and put them in one place. They list all the
courses from Massive Open Online Courses (MOOCs) such as Coursera,
Udacity, edX, etc.

Another secret
surveillance effort that sweeps up and stores bulk data on Americans
has apparently come to light -- this time involving financial
records, and not the NSA but the Central Intelligence Agency.

The CIA program
reportedly nabs data from cross-border money transfers handled by US
companies such as Western Union in an effort to discover and track
the funding of terrorist efforts.

… Western Union
also provided the same statement to both papers: "We collect
consumer information to comply with the
Bank Secrecy Act and other laws. In doing so, we also protect
our consumers' privacy."

The Times notes that
the CIA program "offers evidence that the extent of
government data collection programs is not fully known and that
the national debate over privacy and security may be incomplete."
[Nonsense. Bob]

I thought they were
following the Israeli model. Apparently they developed their own.
Typical government.

… In a new
report (PDF) released today, the Government Accountability Office
(GAO) concluded that "the human ability to accurately identify
deceptive behavior based on behavioral indicators is the same as or
slightly better than chance." And it dryly noted that programs
like SPOT should be "demonstrated to work reliably in their
intended environment prior to program deployment."

I can see a “kill
switch” being useful in very limited circumstances and for a very
short time. It will be interesting to see what DHS sees...

In
a Freedom of Information Act case brought by EPIC against the
Department of Homeland Security, a federal court has ruled
that the DHS may not withhold the agency’s plan to deactivate
wireless communications networks in a crisis. EPIC had sought
“Standard Operating Procedure 303,” also known as the “internet
Kill Switch,” to determine whether the agency’s plan could
adversely impact free speech or public safety. EPIC filed the FOIA
lawsuit after the agency failed to produce SOP 303. The federal
court determined that the agency wrongly claimed that it could
withhold SOP 303 as a “technique for law enforcement investigations
or prosecutions.” The phrase, the court explained, “refers only
to acts by law enforcement after or during the prevention of a crime,
not crime prevention techniques.” The court repeatedly emphasized
that FOIA exemptions are to be read narrowly. For more information,
see EPIC:
EPIC v. DHS (SOP 303) and EPIC:
FOIA.

And Joe Cadillic sends
along this report from the Washington Free Beacon:

The
Department of Homeland Security (DHS) must disclose its plans for a
so-called Internet “kill switch,” a federal court ruled on
Tuesday.

The
United States District Court for the District of Columbia rejected
the agency’s arguments that its protocols surrounding an Internet
kill switch were exempt from public disclosure and ordered the agency
to release the records in 30 days. However, the court left the door
open for the agency to appeal the ruling.

Could be an interesting
research area... Note that we are two decades after the creation of
the WWW. If Paul David is correct
(http://elsa.berkeley.edu/~bhhall/e124/David90_dynamo.pdf)
we should be seeing some fundamental changes in how we do things.
Would that include measurement?

“Measuring
Internet Activity, authored by Robert Faris and Rebekah Heacock,
explores current efforts to measure digital activity within three
areas: infrastructure and access, control, and content and
communities. Two Decades after the birth of the World Wide Web,
more than two billion people around the world are Internet users.
The digital landscape is littered with hints that the affordances of
digital communications are being leveraged to transform life in
profound and important ways. The reach and influence of digitally
mediated activity grow by the day and touch upon all aspects of life,
from health, education, and commerce to religion and governance.
This trend demands that we seek answers to the biggest questions
about how digitally mediated communication changes society and the
role of different policies in helping or hindering the beneficial
aspects of these changes. Yet despite the profusion of data the
digital age has brought upon us—we now have access to a flood of
information about the movements, relationships, purchasing decisions,
interests, and intimate thoughts of people around the world—the
distance between the great questions of the digital age and our
understanding of the impact of digital communications on society
remains large. A number of ongoing policy questions have emerged that
beg for better empirical data and analyses upon which to base wider
and more insightful perspectives on the mechanics of social,
economic, and political life online. This paper seeks to describe
the conceptual and practical impediments to measuring and
understanding digital activity and highlights a sample of the many
efforts to fill the gap between our incomplete understanding of
digital life and the formidable policy questions related to
developing a vibrant and healthy Internet that serves the public
interest and contributes to human wellbeing. Our primary focus is on
efforts to measure Internet activity, as we believe obtaining robust,
accurate data is a necessary and valuable first step that will lead
us closer to answering the vitally important questions of the digital
realm. Even this step is challenging: the Internet is difficult to
measure and monitor, and there is no simple aggregate measure of
Internet activity—no GDP, no HDI. In the following section we
present a framework for assessing efforts to document digital
activity. The next three sections offer a summary and
description of many of the ongoing projects that document digital
activity, with two final sections devoted to discussion and
conclusions.”

“It’s
a good day for fair use and sane copyright law. After years of
litigation, Judge Denny Chin has
ruled that the Google Books project does not infringe copyright.
Readers, authors, librarians and future fair users can rejoice. For
years, Google has been cooperating with libraries to digitize books
and create massive, publicly available and searchable books database.
Users can search the database, which includes millions of works for
keywords. Results include titles, page numbers, and small snippets
of text. It has become an extraordinarily valuable tool for
librarians, scholars, and amateur researchers of all kinds. As the
court noted (citing an
amicus brief EFF filed jointly with several library associations)
librarians use the service for a variety of research purposes. Many
librarians reported that they have purchased new books for their
collections after discovering them through Google Books.
Nonetheless, the Authors Guild argues that its members are owed
compensation in exchange for their books being digitized and included
in the database – even though blocking Google Book Search’s
digitization wouldn’t bring any author any additional revenue.”

FREE
EBOOK: How To Start An Online Business, Sponsored By Media Temple

Start your own online
store. The latest MakeUseOf manual, sponsored by (mt)
Media Temple and written by James Bruce, teaches you everything
you need to know in order to sell your wares online – without
paying commission to eBay or Amazon.

Now, there are ways to
find
virtually any mobile app for free legally. But the best way is
to always know when an app is going on sale, whether as a discount or
free for a limited period. And if you’re on Twitter, there are a
few accounts you should be following to always keep abreast of these
discounts.

U.S.
authorities are investigating a series of cybersecurity incidents
targeting the HealthCare.gov website at the center of President
Obama’s healthcare law, a U.S. homeland security official told
Congress on Wednesday.

Roberta
Stempfley, acting assistant secretary of the Department of Homeland
Security’s Office of Cybersecurity and Communications, said her
department was aware of “about 16” reports from the Department of
Health and Human Services – which is responsible for implementing
the healthcare law – on cybersecurity incidents related to the
website.

Testifying
before the House of Representatives Homeland Security Committee,
Stempfley also said officials were aware of an unsuccessful attempt
by hackers to organize a “denial of service” attack to overwhelm
and take down the website.

Montana
has a constitutional right to privacy and right to know. The Montana
Supreme Court concludes that lower level employees disciplined for
viewing pornography on city time on city computers had a reasonable
expectation of privacy not to be publicly disclosed, and disclosure
of their identities was not in the public interest. [That
alone should be sufficient. Bob] The Fourth Amendment
reasonable expectation of privacy analogy was not apt because of the
state privacy protection. Billings
Gazette v. City of Billings, 2013 MT 334, 2013 Mont. LEXIS 455
(November 8, 2013)*:

Google, Microsoft, and
LinkedIn are requesting oral argument on their motion to be able to
be more transparent with users about government requests for user
information.

Indeed, they seem to
have really come
out swinging in response to the government’s September 30th
response and declaration, which were submitted ex parte and
in camera, with the plaintiffs only getting a highly
redacted version of the response.

The tech giants are
asking the court to strike all the redacted sections, or in the
alternative, to give them greater access to the material so they are
fighting this on a level playing field. In their
argument, they note that there must be a legal justification for the
government to prohibit providers from sharing the data they have
already been entrusted with (i.e., the number of orders), and the
government has failed to provide that legal justification in the
redacted materials available to them.

Something strange here.
Granted the defendants exposed the data, but were they specifically
targeted or were the police looking at ALL P2P traffic? The article
suggests the latter...

There can be no expectation of privacy in data exposed to the
Internet over a peer-to-peer file-sharing network, a federal judge in
Vermont ruled in a case involving three individuals charged with
possession of child pornography.

The
three men had argued that police illegally gathered information from
their computers using an automated P2P search tool
and then used that information to obtain probable cause warrants for
searching their computers. Each of the defendants was later charged
with possession of child pornography based on evidence seized from
their computers.

The defendants
contended that the initial use of the automated P2P search tool to
gather information on the contents of their computers, constituted a
warrantless search of their systems. They maintained that police
violated Fourth Amendment provisions against unreasonable search by
looking at private files on each of their systems using the P2P
search tool.

They also argued that
several of the statements made by investigators to show probable
cause for the search warrants were based on incorrect information.

In a 39-page ruling
released Friday, District Court Judge Christina Reiss denied the
motion to suppress and held that the defendants had essentially given
up privacy claims by making the data publicly
available on the Internet over a P2P network.

"The evidence
overwhelmingly demonstrates that the only information accessed was
made publicly available by the IP address or the software it was
using," Reiss wrote. "Accordingly, either intentionally or
inadvertently, through the use of peer-to-peer file sharing software,
Defendants exposed to the public the information they now claim was
private."

The ruling is similar
to ones reached by other courts in disputes involving documents
exposed on the Internet via peer-to-peer networks. Courts in the
11th Circuit, 10th Circuit and 8th Circuit have all held that there
can be no expectation of privacy if the contents of a computer can be
accessed freely over the public Internet via a file sharing network.

Interesting. So if
(hypothetically) someone did something slightly evil and it was
traced back to a certain computer law professor, he could show harm.
If thousands of victims have their life savings threatened, they
can't?

A
woman who fought to clear her name after her identity was stolen and
she was arrested for crimes she did not commit won a lawsuit against
the county and has been awarded over $100,000 in damages.

Kimberly
Fossen’s story began nearly a decade ago when she lost her purse.
She was quick to cancel her credit cards and get new identification,
but another woman took her identity and racked up arrests under her
name in Miami-Dade and Broward counties in Florida.

Over the years, I’ve
read a number of reports of ID theft victims being arrested for
crimes they did not commit, despite their best efforts to notify
everyone of their victim status and/or despite obtaining
documentation to show law enforcement that they are an innocent
victim. It’s nice to see law enforcement held accountable for not
doing their due diligence before arresting and holding an ID theft
victim.

Follow-up to Tuesday's
blog post, where they claimed the network wasn't being used.

Following up on a
concerning report out of Seattle this week, Brendan Kiley and Matt
Fikse-Verkerk report:

The
Seattle Police Department just announced that it has begun the
process of deactivating its wireless mesh network, a
powerful tool for sending vast amounts of data that also has powerful
surveillance potential. In theory, the network (built by a
California-based company called Aruba Networks) could track and
indefinitely log the movements of any wireless device with a MAC
address (phones, laptops, tablets) that moves through its coverage
area.

The
possibility of a police department creating a historical digital map
of the city, or using such a system for real-time locating of
individuals, without governmental or civilian oversight has some
serious implications.

The
mesh network, as
The Stranger reported this week, was quietly purchased
with grant money from the Department of Homeland Security and whisked
through the Seattle City Council without any serious process of
review and approval.

But,
SPD spokesperson Sgt. Sean Whitcomb said this evening, “The
wireless mesh network will be deactivated until city council approves
a draft policy and until there’s an opportunity for vigorous
public debate.” Chief Jim Pugel gave the order to begin
the deactivation process today.
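To make the “historical digital map” concrete, here is an added example, not SPD's or Aruba Networks' software and not based on any data from the Seattle deployment, of what an operator can do with the one thing every Wi-Fi client leaks to every access point that hears it: its MAC address. The sightings below are constructed and the access-point names are hypothetical. The code turns a flat sighting log into a per-device trail of access points with arrival and departure times, which is the raw material for both a historical map and real-time location. It also checks the two bits a practitioner looks at first: the OUI, the vendor-assigned prefix that identifies the device maker, and the locally-administered bit, which is how a software-assigned (randomized) address is flagged; devices using such addresses cannot be followed across days by address alone.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sightings (not real data): ISO timestamp, access point id, client MAC.
# A mesh controller would hold millions of such rows; these few show the method.
SIGHTINGS = [
    ("2013-11-14T08:01:10", "ap-pike-1st",  "00:1b:63:aa:bb:01"),
    ("2013-11-14T08:06:42", "ap-pike-3rd",  "00:1b:63:aa:bb:01"),
    ("2013-11-14T08:06:50", "ap-pike-3rd",  "da:a1:19:12:34:56"),  # locally administered (randomized) address
    ("2013-11-14T08:15:03", "ap-union-5th", "00:1b:63:aa:bb:01"),
    ("2013-11-14T08:20:30", "ap-union-5th", "00:1b:63:aa:bb:01"),  # same AP within the gap: one visit
    ("2013-11-14T17:40:11", "ap-union-5th", "00:1b:63:aa:bb:01"),  # same AP hours later: a second visit
    ("2013-11-14T17:52:30", "ap-pike-1st",  "00:1b:63:aa:bb:01"),
    ("2013-11-14T17:55:00", "ap-pike-1st",  "00:1b:63:cc:dd:02"),
]


def is_locally_administered(mac: str) -> bool:
    """Bit 1 of the first octet set means the address was assigned by software,
    not burned in by the vendor; randomized client MACs carry this bit."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


def oui(mac: str) -> str:
    """Vendor prefix (first three octets), the part an operator resolves to a manufacturer."""
    return ":".join(mac.upper().split(":")[:3])


def build_trails(sightings, max_gap=timedelta(minutes=30)):
    """Group sightings per device into visits.

    Consecutive sightings of one device at the same AP closer together than
    max_gap merge into a single visit with first/last seen times; anything
    else starts a new visit.
    """
    trails = defaultdict(list)
    for ts_str, ap, mac in sorted(sightings):
        ts = datetime.fromisoformat(ts_str)
        trail = trails[mac.lower()]
        if trail and trail[-1]["ap"] == ap and ts - trail[-1]["last"] <= max_gap:
            trail[-1]["last"] = ts
        else:
            trail.append({"ap": ap, "first": ts, "last": ts})
    return dict(trails)


def visited_aps(trails, mac: str) -> list:
    """The device's path as an ordered list of access points, one entry per visit."""
    return [v["ap"] for v in trails.get(mac.lower(), [])]


def dwell_minutes(trails, mac: str) -> dict:
    """Minutes spent per AP; repeated long dwells are what turn a trail into
    'where this device lives and works'."""
    totals = defaultdict(float)
    for v in trails.get(mac.lower(), []):
        totals[v["ap"]] += (v["last"] - v["first"]).total_seconds() / 60
    return dict(totals)


if __name__ == "__main__":
    trails = build_trails(SIGHTINGS)
    for mac in trails:
        tag = "randomized" if is_locally_administered(mac) else "OUI " + oui(mac)
        print(mac, tag, "->", " > ".join(visited_aps(trails, mac)))
```

Note what the log does not need: no association, no authentication, no traffic content. Probe requests and any other frame the client transmits carry the source MAC in the clear, so passive logging at each AP is enough to produce the trails above.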

EPIC – “In a press
release, the Federal Aviation Administration announced the
“roadmap”
for the integration of drones into domestic airspace. After
considering numerous public comments on the privacy impact of aerial
drones, the FAA proposed a regulation
that requires test site operators to develop privacy policies but
does not require any specific baseline privacy protections. The
FAA rulemaking came about in response to an extensive
petition submitted by EPIC, broadly supported by civil liberties
organizations and the general public. EPIC urged
the agency to require adherence to the Fair Information Practices,
disclosure of data collection and minimization practices, and
independent audits. For more information, see EPIC:
Domestic Unmanned Aerial Vehicles (UAVs) and Drones.”

So, they want to return
to using dial-up modems on the hard wired phone system?

Via Deutsche
Welle: ”Deutsche Telekom says the scandal over US
and British eavesdropping has prompted German providers to
contemplate an inner-German or inner-European Internet. Data would
no longer be routed and stored via other continents. Germany’s
state-backed Telekom confirmed on Sunday that German providers were
discussing an Internet confined within Europe’s “Schengen”
countries. One project code-named “Clean Pipe” would help firms
to fend off industrial spies and hackers. Schengen is the Luxembourg
border town where in 1985 EU nations initiated a visa-free zone that
now encompasses 26 European countries but excludes Britain. A
Telekom spokesman told the German news agency DPA that talks were
taking place with “diverse, likely partners.” The project would
be unveiled on Monday at an information technology (IT) conference in
Bonn. According to the news magazine Der Spiegel, Telekom managers
see fewer technical setup problems than IT experts had at first
anticipated. Germany already has a project entitled “E-Mail made
in Germany” in which Telekom, United Internet and Freenet handle
messages inside
the national border.”

A question for my
lawyer friends. If I can show you cases with a high probability of a
large settlement, would you send the victims appropriately
threatening letters? Oh, wait, the RIAA already has law firms that
do that.

“Attorney bargaining
has traditionally taken place in the shadow of trial, as litigants
alter their pretrial behavior — including their willingness to
negotiate a settlement — based on perceptions of likely outcomes at
trial and anticipated litigation costs. Lawyers practicing in the
shadow of trial have, in turn, traditionally formed their perception
of the likely outcome at trial based on their knowledge of case
precedents, intuition, and previous interactions with the presiding
judge and opposing counsel in similar cases. Today, however,
technology for leveraging legal data is moving the practice of law
into the shadow of the trends and patterns observable in aggregated
litigation data. In this Article, we describe the tools that are
facilitating this paradigm shift, and examine how lawyers are using
them to forecast litigation outcomes and reduce bargaining costs. We
also explore some of the risks associated with lawyering in the
shadow of data and offer guidance to lawyers for leveraging these
tools to improve their practice. Our discussion pushes beyond the
cartoonish image of big data as a mechanical fortuneteller that tells
lawyers who will win or lose a case, supposedly eliminating research
or deliberation. We also debunk the alarmist clichés about
newfangled technologies eliminating jobs. Demand for lawyers capable
of effectively practicing law in the shadow of data will continue to
increase, as the legal profession catches up to the data-centric
approach found in other industries. Ultimately, this Article paints
a portrait of what big data really means for attorneys, and provides
a framework for exploring the theoretical implications of practicing
law in the era of big data.”

News release: “A
project providing free online access to federal court opinions has
expanded to include 64 courts. The federal Judiciary and the
Government Printing Office partner through the GPO’s Federal
Digital System, FDsys,
to provide public access to more than 750,000 opinions, many dating
back to 2004. The Judicial
Conference approved national implementation of the project in
September 2012, expanding participation from the original 29
courts. FDsys currently contains opinions from 8 appellate courts,
20 district courts, and 35 bankruptcy courts. Federal court opinions
are one of the most heavily used collections on FDsys, with millions
of retrievals each month. Opinions are pulled nightly from the
courts’ Case
Management/Electronic Case Files (CM/ECF) systems and sent to the
GPO, where they are posted on the FDsys website. Collections on
FDsys are divided into appellate, district or bankruptcy court
opinions and are text-searchable across courts. FDsys also allows
embedded animation and audio – an innovation previously only
available with opinions posted on a court’s own website or on the
Public
Access to Court Electronic Records (PACER). While the public
already can view federal court opinions for free on PACER, the FDsys
project presents just another way to make court-related information
more accessible to the public.”

Wednesday, November 13, 2013

… I have mentioned
VPN and Tor as a workaround to most forms of Internet censorship.
However, I need to issue a caveat. Recent developments in China have
demonstrated that even VPN can be blocked. In late 2012, it
was widely reported that the Great
Firewall of China is now able to learn, discover and block
encrypted network traffic from several VPN systems (not all). China
Unicom, one of the largest ISPs in China, is now terminating
connections whenever an encrypted connection is detected.
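Why “encrypted” is not the same as “unidentifiable” deserves a concrete look. The example below is added here; it is not the Great Firewall's detection logic (which is not public) and not any VPN vendor's code, and the three packets it inspects are constructed, not captured. It shows two cheap tests a DPI box can apply to the first datagram of a flow: plain OpenVPN announces itself with a fixed opcode byte (0x38 for the client's initial hard reset, 0x40 for the server's; tls-auth adds an HMAC but leaves that byte in the clear), and a payload that has neither a recognized header nor TLS record structure yet is statistically random stands out as “unknown encrypted” traffic, which is exactly the class a censor can log, probe and learn to block.

```python
import math
from collections import Counter

# OpenVPN control-channel opcodes occupy the top five bits of the first byte;
# the low three bits are the key id, which is 0 on the initial handshake.
OPENVPN_RESET_OPCODES = {
    7: "P_CONTROL_HARD_RESET_CLIENT_V2",   # first byte 0x38
    8: "P_CONTROL_HARD_RESET_SERVER_V2",   # first byte 0x40
    10: "P_CONTROL_HARD_RESET_CLIENT_V3",  # first byte 0x50 (tls-crypt-v2 clients)
}

# Constructed first datagrams (not captured traffic).
OPENVPN_CLIENT_RESET = (
    bytes([0x38])                          # opcode 7, key id 0
    + bytes.fromhex("0123456789abcdef")    # 8-byte session id (arbitrary here)
    + b"\x00"                              # ack array length 0
    + b"\x00\x00\x00\x00"                  # packet id 0
)
TLS_CLIENT_HELLO = (
    b"\x16\x03\x01\x00\x2f"                # TLS record: handshake, version 3.1, length 47
    + b"\x01\x00\x00\x2b"                  # ClientHello, body length 43
    + b"\x03\x03" + bytes(32)              # client version, 32-byte random (zeros here)
    + b"\x00"                              # session id length 0
    + b"\x00\x02\x00\x2f"                  # one cipher suite
    + b"\x01\x00"                          # null compression
    + b"\x00\x00"                          # no extensions
)
# A permutation of all 256 byte values: maximal entropy, no recognizable header.
RANDOM_LOOKING = bytes((i * 167) % 256 for i in range(256))


def openvpn_reset_name(payload: bytes):
    """Name of the OpenVPN hard-reset opcode if the datagram looks like one, else None."""
    if len(payload) < 14:          # opcode + session id + ack length + packet id
        return None
    opcode, key_id = payload[0] >> 3, payload[0] & 0x07
    if key_id == 0 and opcode in OPENVPN_RESET_OPCODES:
        return OPENVPN_RESET_OPCODES[opcode]
    return None


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ciphertext and compressed data sit near 8, protocol headers far below."""
    n = len(data)
    counts = Counter(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify_first_packet(payload: bytes) -> str:
    """Cheap DPI triage on a flow's first datagram."""
    name = openvpn_reset_name(payload)
    if name:
        return "openvpn:" + name
    if len(payload) >= 5 and payload[0] == 0x16 and payload[1:3] in (b"\x03\x01", b"\x03\x03"):
        return "tls-handshake"
    if len(payload) >= 64 and shannon_entropy(payload) > 7.0:
        return "unknown-high-entropy"      # the bucket a censor hands to active probing
    return "other"


if __name__ == "__main__":
    for label, pkt in (("openvpn", OPENVPN_CLIENT_RESET), ("tls", TLS_CLIENT_HELLO), ("random", RANDOM_LOOKING)):
        print(label, "->", classify_first_packet(pkt))
```

The key-id check matters: an ASCII “G” (0x47) also decodes to opcode 8, and only the non-zero key id keeps a plain HTTP request out of the OpenVPN bucket. Obfuscation layers exist because of exactly this triage: wrapping the tunnel so its first bytes look like something the censor already allows, rather than like nothing at all.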

– is the first app in
the world that automatically sorts the photos on your phone. You do
not have to manually label each and every one of them – Impala
“looks” into your images and videos and recognizes what’s
inside. For instance, Impala can recognize cats, sunsets,
beaches, and so on. Impala then automatically creates photo
albums and organizes your photos.

The more you know
(measure) the better you can plan. Something for my Statistics
students.

According to Backblaze,
about one in 20 hard drives fails in the first 18 months. The
failure rate drops to just 1.4 percent after this initial break-in
period, before jumping up to 11.8 percent annually after 3 years.

Beyond that time
period, though, Backblaze doesn’t have much data—they’ve only
been around and collecting this data for four years. Still, the fact
that 74 percent of hard drives that they buy last longer than 4 years
strikes me as pretty surprising. It also makes perfect sense that,
as Backblaze points out, most available hard drive warranties are
either 12 or 36 months.

… As Backblaze
doesn’t have any hard drives that are older than its company, it
can only estimate that, based on the data already collected, the
median hard drive life is about six years.
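For the statistics students: the figures above are enough to sketch a survival curve, and doing so shows how much the headline “median life” depends on assumptions the summary never states. The example below is added here (it is not Backblaze's analysis) and takes the page's numbers as piecewise-constant failure rates: 5% lost in the first 18 months, 1.4% a year up to three years, 11.8% a year after that, with the last rate assumed to hold indefinitely. The “one in 20 in the first 18 months” figure is ambiguous between a cumulative loss and an annualized rate, so the code accepts either reading. Neither reading reproduces the page's 74% four-year survival or its six-year median exactly, and that gap is the lesson: the median lies beyond the four years of observed data, so it is whatever the chosen extrapolation of the 11.8% rate makes it.

```python
import math

# Failure-rate summary as reported on the page (Backblaze, November 2013).
FIRST_PHASE_END = 1.5          # years
FIRST_PHASE_RATE = 0.05        # "one in 20" over the first 18 months
LATER_PHASES = [               # (start year, end year, annual failure rate)
    (1.5, 3.0, 0.014),
    (3.0, math.inf, 0.118),    # assumption: the post-3-year rate stays constant forever
]


def survival(years: float, first_phase_rate_is_annual: bool = False) -> float:
    """Fraction of drives still running after `years`.

    Within each phase the annual failure rate is treated as a constant hazard,
    so survival over a fraction f of a year is (1 - rate) ** f. The first-phase
    5% is read either as a cumulative loss over 18 months (default) or as an
    annual rate.
    """
    if years <= 0:
        return 1.0
    if first_phase_rate_is_annual:
        annual_factor = 1 - FIRST_PHASE_RATE
    else:
        annual_factor = (1 - FIRST_PHASE_RATE) ** (1 / FIRST_PHASE_END)
    s = annual_factor ** min(years, FIRST_PHASE_END)
    for start, end, rate in LATER_PHASES:
        if years > start:
            s *= (1 - rate) ** (min(years, end) - start)
    return s


def median_life(first_phase_rate_is_annual: bool = False, tol: float = 1e-6) -> float:
    """Age at which half the drives have failed, found by bisection on survival()."""
    lo, hi = 0.0, 100.0
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if survival(mid, first_phase_rate_is_annual) > 0.5:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2


if __name__ == "__main__":
    for reading in (False, True):
        label = "annual rate" if reading else "cumulative loss"
        print(f"first-phase 5% read as {label}:")
        for y in (1.5, 3, 4, 6):
            print(f"  {y:>4} years: {survival(y, reading):.1%} surviving")
        print(f"  median life: {median_life(reading):.1f} years")
```

Under either reading the constant-hazard model puts the median near eight years, not six; a model in which the hazard keeps rising after year three (the usual shape of a wear-out curve) pulls it down. Which is right cannot be decided from the summary figures, only from the per-drive data.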

For my innovative
students (and a certain Foundation
running out of cy-près
Funds?)

– Launch your own
crowdfunding page without touching a line of code. Currently
invite-only, CrowdHoster is open-source, and therefore the code
can be viewed on GitHub. It includes a funding progress bar, sharing
links, and customizable content areas. Running more than one
campaign is also possible. Continue taking preorders even after your
campaign ends.

Google Glass is slowly
coming within reach of members of the general populace who aren't
developers, celebrities, or elite early adopters.

This week, as Google
rolled out a Glass
software update that adds a new command for listening to music,
the company also quietly put a new form online that
allows anyone to add themselves to a waiting list for the Glass
Explorer program.

Perhaps there will be a
market for 3D Templates of things other than guns?

MakerBot wants to put a
3D printer in every school in the United States, and it's drumming up
support from the industry and general public to make it happen.

While 3D printing, for
now, remains a gimmick to many, it garnered enough attention for
President Barack Obama to mention the emerging technology in his
recent State of the Union Address. He described 3D printing as
having the potential to "revolutionize the way we make almost
everything."

… The US government
is also supporting MakerBot's efforts. Tom Kalil, deputy director
for technology and innovation within the White House Office of
Science and Technology Policy, said in prepared remarks: "We all
need to think creatively about giving our young people the tools to
be 'the makers of things, and not just the consumers of things.'"

And once 3D printers
start rolling out to schools? MakerBot insists the devices won't be
expensive paperweights. The company is also launching Thingiverse, an
online 3D digital design community where schoolchildren can design,
share, upload, and print designs of their own.

With the initiative
launching Tuesday, individuals and corporations can donate funds
using DonorsChoose.org,
a crowdsourcing site for teachers. Pettis wants those in communities
around America to contribute to their local schools. Meanwhile,
MakerBot is offering significant discounts to lower the price point
of the 3D printing machines.

Tuesday, November 12, 2013

I’ve occasionally
mentioned that in my opinion, Texas Attorney General Greg Abbott is
one of the most activist state AGs when it comes to consumer privacy
protection. He’s now running for Governor in Texas, and his
platform does include privacy. Aman Batheja reports on a speech he
gave:

In
the most detailed speech since launching his bid for governor earlier
this year, Attorney General Greg Abbott laid out a dozen new policy
proposals Monday evening, touching on ethics reform, privacy rights,
education, guns and Obamacare.

[...]

Abbott
also proposed changes to state privacy laws. He described his
proposals as pushing back against federal and state efforts to turn
government “into Big Brother.”

“Government
agencies like the NSA, like the IRS, like the EPA, are increasingly
using tools to look at our emails, to tap into our phone calls, to
look at our financial information or our health records,” Abbott
said.

He
said he wanted to bar state agencies from selling Texans’ personal
information without their consent. Abbott described the practice as
routine at agencies including the Texas Department of Motor Vehicles
and the Texas Department of Health Services.

He
also proposed creating “a personal property right for your DNA.”

“Your
DNA belongs to you, and no one else has the right to access that
information without your consent,” Abbott said. “But the reality
is that advances in technology are threatening that privacy right…
You should have control over how your information about your DNA is
used.”

He
next waded into the debate over red light cameras, one which he
acknowledged pits those arguing the safety value of the devices
against those with privacy concerns.

“I
believe it should be up to you, the people, to decide whether red
light cameras is right for a community,” Abbott said, explaining
that he would push to change state law to allow for voters to push
for a ballot initiative to repeal a local red light camera ordinance.

Read more on Texas
Tribune. The dozens of comments on him and his record under
the news story are mainly negative.

My students say, TL;DR
(too long; didn't read). I'm saying TL;NH (too logical; never happen).
In fact, looking back through my blog, I say it quite frequently.
But even if it did, it would only impact the back end, not the
collection.

Over
at the Guardian today, Kenneth Roth—executive director of
Human Rights Watch—argues
for a worldwide human right of privacy:

It’s
time for governments to come clean about their practices, and not
wait for the newest revelations. All should acknowledge a global
obligation to protect everyone’s privacy, clarify the limits
on their own surveillance practices (including surveillance of people
outside their own borders), and ensure they don’t trade mass
surveillance data to evade their own obligations. Of course it is
important to protect security, but western allies should agree that
mass, rather than narrowly targeted, surveillance is never a
normal or proportionate measure in a democracy.

Washington
is finally grappling with the Snowden revelations, holding hearings
and considering legislation that might help to rein in the NSA’s
seemingly unconstrained power. Some of these bills would limit or
end bulk data collection, institute greater transparency, and give
the secret court that oversees surveillance requests a more
adversarial character. These are important proposals, but none
include protection for non-Americans abroad. The US has the capacity
to routinely invade the digital lives of people the world over, but
it barely recognises any privacy interest of those outside the US
(emphasis added).

Roth’s
article echoes arguments made recently by David Cole on Just
Security (here
and here),
to which Orin Kerr responded (here
and here)
on Lawfare. I fully agree with Orin’s response to Cole,
which essentially posits that the US government’s obligation to
respect the privacy of its citizens and those within its territory
stems from a social contract not present with everyone else in the
world.

But
I’m hung up on an antecedent question in light of Roth’s and
Cole’s arguments: What if we were to accept, in Roth’s words,
that there is some “global obligation to protect everyone’s
privacy”?

Educational
institutions at all levels have begun to realize that they hold a
treasure trove of student-related information, that if analyzed using
“Big
Data” techniques, could yield valuable
insights to further their educational missions.

Of
course, as one can imagine, Big Data projects using student-related
information can implicate significant privacy issues. Schools are
regulated under the Family Educational Rights and Privacy Acts
Statute, and depending on a school’s specific activities may be
subject to GLB and HIPAA. In addition, many educational institutions
have internal policy and public-facing privacy policies that apply
to, and may limit, the collection, use and disclosure of student
personal information. The impact of applicable privacy laws and
existing privacy-related policies should be taken into account well
before engaging in a Big Data project. We have looked at Big Data
privacy issues generally before, and the following is a framework
for analyzing high level legal considerations and action items for
educational institutions considering Big Data projects involving
student-related information.

I won’t say that I’m
tired, but I just read his first sentence as “to further their
educational mistakes.” Freud is having a field day…

Matthias Gafni reports
on another case where a school district cited FERPA as a reason for
not complying with a request to disclose information about alleged
assaults on students:

In
May, about a month into her investigation of molestation allegations
against a Woodside Elementary School teacher, a Concord police
detective hit a roadblock. A Mt. Diablo school district attorney
refused to turn over a key internal report on previous abuse
allegations against popular fourth- and fifth-grade teacher Joseph
Martin.

The
detective, as recorded in portions of a police report obtained by
this newspaper, was trying to identify potential victims of Martin
when she was told she would need a search warrant to get a version of
the 2006 report without key information blocked out. Detective Tamra
Roberts reminded Deputy District Counsel Deborah Cooksey that the
district was required by law to report child abuse suspicions and the
names of potential victims. Only then did the district hand over the
unredacted report.

In
February, the Seattle Police Department announced it bought what’s
called a “mesh network,” that will be used as a dedicated
wireless network for emergency responders. What SPD did not say
is that the network is capable of tracking anyone with a device that
has a Wi-Fi connection. “They now own a piece of equipment that
has tracking capabilities so we think that they should be going to
City Council and presenting a protocol for the whole network that
says they won’t be using it for surveillance purposes,” said
Jamela Debelak of the American Civil Liberties Union.

A
spokesperson for Seattle Police said the network is not being used
right now. A draft policy is being reviewed by the city
attorney’s office and will eventually go before the City Council.

The network includes
160 wireless access points that are mounted on poles across Seattle.
Every time a device looks for a Wi-Fi signal and the access point
recognizes it, it can store that data. The manufacturer of the
network points out in a manual that the mesh network can store IP
addresses, device types, applications used by the devices, current
location, and historical location. This information can be stored
and connected for the last 1,000 times a person is connected with a
specific device. The network shows up online in public places
usually as intersections in the city such as, "4th&Pike,"
"4th&University" and "3rd&Union."

… Council member
Bruce Harrell pointed out the need for SPD to be able to collect some
of this information. "While I understand that a lot of people
have concerns about the government having access to this information,
when we have large public gatherings like the situation like in
Boston and something bad happens, the first thing we want to know is
how are we using technology to capture that information," said
Harrell. [It does no good to turn this on AFTER a
terrorist incident. Bob]

The network was bought
with a Homeland Security grant for $2.6 million. [Apparently,
DHS has a line called “Big Brother Tools” in their budget. Bob]
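The disagreement in this story is between per-device location histories (what the manufacturer's manual says the mesh network can keep) and the crowd-level picture Council member Harrell says the police need. The following is an added example, not code from the article, the SPD or the network vendor: it runs over a constructed access-point log (the intersection-style names are taken from the article, the timestamps and device identifiers are invented) and shows three things side by side: the per-device history, an aggregate count per access point per hour that answers the "how crowded was it" question while discarding identifiers, and the per-device retention cap the manual describes. The log is assumed to be in chronological order.

```python
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample log (invented data): timestamp, access point name, device id.
# Access point names follow the intersection style quoted from the article.
Record = Tuple[str, str, str]
SAMPLE_LOG: List[Record] = [
    ("2013-11-12T08:00:00", "4th&Pike", "aa:bb:cc:00:00:01"),
    ("2013-11-12T08:05:00", "4th&Pike", "aa:bb:cc:00:00:02"),
    ("2013-11-12T08:07:00", "4th&University", "aa:bb:cc:00:00:01"),
    ("2013-11-12T08:20:00", "3rd&Union", "aa:bb:cc:00:00:01"),
    ("2013-11-12T08:22:00", "3rd&Union", "aa:bb:cc:00:00:03"),
    ("2013-11-12T09:01:00", "4th&Pike", "aa:bb:cc:00:00:01"),
]


def location_history(log: List[Record], device: str) -> List[Tuple[str, str]]:
    """What the manual describes: one device's historical locations.
    This is the record the ACLU objects to keeping without a policy."""
    return [(ts, ap) for ts, ap, dev in log if dev == device]


def hourly_presence_counts(log: List[Record]) -> Dict[Tuple[str, str], int]:
    """Data-minimising alternative: distinct devices per access point per hour,
    with the identifiers themselves discarded once counted. This answers
    'how many people were at 4th&Pike at 08:00' without retaining anyone's
    movements."""
    seen: Dict[Tuple[str, str], set] = defaultdict(set)
    for ts, ap, dev in log:
        hour = datetime.fromisoformat(ts).replace(minute=0, second=0)
        seen[(ap, hour.isoformat())].add(dev)
    return {key: len(devs) for key, devs in seen.items()}


def enforce_retention(log: List[Record], max_per_device: int = 1000) -> List[Record]:
    """Apply the per-device cap the article quotes from the manual: keep only
    each device's most recent max_per_device records, preserving log order.
    Assumes the log is chronological."""
    per_device: Dict[str, List[int]] = defaultdict(list)
    for idx, (_ts, _ap, dev) in enumerate(log):
        per_device[dev].append(idx)
    keep = {i for idxs in per_device.values() for i in idxs[-max_per_device:]}
    return [rec for i, rec in enumerate(log) if i in keep]


if __name__ == "__main__":
    print("history of one device:", location_history(SAMPLE_LOG, "aa:bb:cc:00:00:01"))
    for (ap, hour), n in sorted(hourly_presence_counts(SAMPLE_LOG).items()):
        print(f"{hour} {ap}: {n} distinct devices")
    print("after a cap of 2 per device:", enforce_retention(SAMPLE_LOG, 2))
```

The aggregate table is what a City Council protocol could permit the network to keep by default, with the raw per-device log either never written or purged on a short schedule; the retention cap alone (1,000 entries per device is still months of movement for a daily commuter) does not make the history any less of a tracking record.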

I enjoy reading about
lawyers analyzing other lawyers' little failures. Sorry, I'm just
built that way.

I splurged and
purchased a copy of the transcript of Thursday’s oral argument in
FTC v. Wyndham. You can download it here
(PDF, 561kB, 186 pp.). Consider it an early holiday gift from
PogoWasRight.org to you.

I look forward to
reading everyone’s reactions after we’ve all had time to read it.
I did a quick read, and here are my first impressions on some of the
issues:

“Recent revelations
about the size and scope of government
foreign surveillance efforts have prompted some to criticize the
level of scrutiny that the courts – established under the Foreign
Intelligence Surveillance Act of 1978 (FISA) – currently provide
with respect to the government’s applications to engage in such
surveillance. In response to concerns that the ex parte nature of
many of the proceedings before the FISA courts prevents an adequate
review of the government’s legal positions, some have proposed
establishing an office led by an attorney or “public advocate”
who would represent the civil liberties interests of
the general public and oppose the government’s
applications for foreign surveillance. The concept of a public
advocate is a novel one for the American legal system, and,
consequently the proposal raises several difficult questions of
constitutional law.”

An article for my
Ethical Hackers to consider. How much would it cost to encrypt
everything? Look at the list of hints and see if you can figure out
how to “guess” the password.

Adobe had a little
issue the other day with the small matter of 150 million accounts
being breached and released to the public. Whoops. So what are we
talking about? A shed load of records containing an internal ID,
username, email, encrypted password and a password hint.
Naked Security did a very good write up on Adobe’s
giant-sized cryptographic blunder in terms of what they got wrong
with their password storage so I won’t try to replicate that,
rather I’d like to take a look at the password hints.

This is an interesting
one from an application security perspective and the rationale
basically goes like this: In order to help people remember their
passwords, you give them the ability to create a “hint” or in
other words, record a piece of information that will later help them
recall their password. Password hints are an absolutely
ridiculous security measure. The whole premise that the
secret that is the password can be unlocked by referring to a
retrievable user-generated piece of text is just completely
nonsensical.

The other thing that’s
completely nonsensical is this: Whilst Adobe encrypted their
passwords (even though done poorly), password hints had absolutely no
security whatsoever. Right, so protect the password but
don’t protect the data that helps you determine the password!

When you visit
“WebsiteX.com” what other sites (e.g. Advertisers) see that
connection?

Lightbeam is a Firefox add-on
that enables you to see the first and third party sites you interact
with on the Web. Using interactive visualizations, Lightbeam shows
you the relationships between these third parties and the sites you
visit. As you browse, Lightbeam reveals the full depth of the Web
today, including parts that are not transparent to the average user.
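The mechanism behind the question "who else sees that I visited WebsiteX.com" is simple: every `<script>`, `<img>`, `<iframe>` and stylesheet `<link>` in a page is fetched by the browser at load time, and each fetch tells the host that serves it which page requested it. The following is an added example, not Lightbeam's code or Mozilla's: it parses a constructed page for a hypothetical `www.websitex.com` (all host names in it are invented) and separates the hosts it would contact into first-party and third-party sets. Plain links are deliberately not counted, since the browser does not fetch them until clicked. The registrable-domain logic is a deliberate simplification (last two labels) and is an assumption; real tooling uses the public suffix list.

```python
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urljoin, urlsplit

# Constructed page for the hypothetical site www.websitex.com. Every host name
# below is invented for this example.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="https://cdn.websitex.com/app.js"></script>
<script src="https://ads.example-adnetwork.net/track.js"></script>
</head><body>
<img src="https://pixel.example-analytics.com/p.gif?u=123">
<iframe src="https://social.example-widgets.org/like?page=home"></iframe>
<a href="https://www.example-partner.com/">partner</a>
</body></html>
"""

# Tag/attribute pairs that make the browser fetch a resource during page load.
FETCH_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}


class ResourceCollector(HTMLParser):
    """Collect the absolute URL of every resource the page loads automatically."""

    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.urls: List[str] = []

    def handle_starttag(self, tag, attrs):
        attr = FETCH_ATTRS.get(tag)
        if attr is None:
            return
        for name, value in attrs:
            if name == attr and value:
                self.urls.append(urljoin(self.page_url, value))


def registrable_domain(host: str) -> str:
    """Simplification (assumption): treat the last two labels as the site.
    Good enough for the constructed sample; not for .co.uk-style suffixes."""
    return ".".join(host.lower().split(".")[-2:])


def classify_connections(page_url: str, html: str) -> Tuple[List[str], List[str]]:
    """Return (first_party_hosts, third_party_hosts) that loading the page
    would contact, each sorted and de-duplicated."""
    collector = ResourceCollector(page_url)
    collector.feed(html)
    site = registrable_domain(urlsplit(page_url).hostname or "")
    first, third = set(), set()
    for url in collector.urls:
        host = urlsplit(url).hostname
        if host is None:
            continue
        (first if registrable_domain(host) == site else third).add(host)
    return sorted(first), sorted(third)


if __name__ == "__main__":
    first, third = classify_connections("https://www.websitex.com/", SAMPLE_HTML)
    print("first party:", first)
    print("third party:", third)
```

Lightbeam does the same classification from inside the browser, where it also sees resources added later by scripts; a static parse like this only catches what is in the HTML as served, which is why the add-on's picture of a page is usually larger than the source suggests.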

Talking to my students,
perhaps this isn't as obvious as I thought. (They never heard how
Kennedy raised the minimum wage in Massachusetts and drove the shoe
industry out of the state.)

Wharton
Public Policy commentary – “One of the most powerful
arguments for raising the minimum wage is the notion of creating a
“livable wage” that enables people to have the dignity of working
a job that pays enough to live on and support their family. Today a
person working full-time for the entire year on minimum wage earns
roughly $15,000, which puts them below the poverty line for a
two-person household. Raising the minimum wage purely as a poverty
reduction strategy is not as straightforward as it seems, however,
observers note. For one, most working-age people who live in poverty
don’t have a job, and so consequently they would not benefit from
such an increase. Second, many people who earn the minimum wage live
in households above the poverty threshold, including high school
students earning extra pocket money, retirees supplementing their
Social Security and others working part-time to add to their family’s
income.”

Via LLRX.com
- ShoppingBots
and Online Shopping Resources 2014 - Marcus
Zillman’s timely and information packed guide to ShoppingBots
and Online Shopping Resources is a comprehensive listing of
shoppingbot and online shopping/coupon resources and sites on the
Internet. Marcus also provides a value-added section of Notes and
Suggestions for Virtual Shopping to assist you with safe, effective
tools, techniques and sources to ensure your online shopping will be
successful in all its facets!

Monday, November 11, 2013

After the Adobe hack
was disclosed, I received some emails from concerned consumers asking
if there was some way they could check to find out if their details
were involved.

LastPass
has set up a page where you can input your email address and
LastPass checks the database that was dumped online to determine if
your email address was in it. Of course, we don’t know if the data
dump of over 152 million records was everything the hackers had
acquired, but it might be of some help. When in doubt, reset your
password and do NOT use “123456.”

Shanghai
police crowd more than 60 surveillance cameras on single overhead bar
watching one road; demolish most of them after media attention

Authorities in
Shanghai's Baoshan District have installed more than 60 surveillance
cameras on one four-lane section of Youyi Road, according to a
NetEase
report.

… Locals told
reporters that in April, the poles only had 24 cameras attached, in
the last few months authorities added an extra 36.

… Local
Shanghai English news portal Shanghai Daily later on Nov. 6th,
Tuesday reported that the more than 60 cameras were
installed by Shanghai Baokang Electronics Company in order to conduct
equipment tests. The company removed all the cameras after attention
was drawn to the apparent excessive surveillance being carried out on
that one road.

Something for my
Statistics students (all my Math students, actually). Prepare
yourselves for the horror of having Big Money offered for your Big
Data skills.

Regardless of what you
might think of the ubiquity of the "Big Data" meme, it's
clear that the growing size of datasets is changing the way we
approach the world around us. This is true in fields from industry
to government to media to academia and virtually everywhere in
between. Our increasing abilities to gather, process, visualize, and
learn from large datasets is helping to push the boundaries of our
knowledge.

But where scientific
research is concerned, this recently accelerated shift to
data-centric science has a dark side, which boils down to this: the
skills required to be a successful scientific researcher are
increasingly indistinguishable from the skills required to be
successful in industry. While academia, with typical
inertia, gradually shifts to accommodate this, the rest of the world
has already begun to embrace and reward these skills to a much
greater degree. The unfortunate result is that some of the most
promising upcoming researchers are finding no place for themselves in
the academic community, while the for-profit world of industry stands
by with deep pockets and open arms.

About Me

I live in Centennial Colorado. (I'm not actually 100 years old, but I hope to be some day.) I'm an independent computer consultant, specializing in solving problems that traditional IT personnel tend to have difficulty with... That includes everything from inventorying hardware & software, to converting systems & data, to training end-users. I particularly enjoy taking on projects that IT has attempted several times before with no success. I also teach at two local Universities: everything from Introduction to Microcomputers through Business Continuity and Security Management. My background includes IT Audit, Computer Security, and a variety of unique IT projects.